
    Token endpoint

    To obtain an Access Token, an ID Token, and optionally a Refresh Token, the RP (Client) sends a Token Request to the Token Endpoint and receives a Token Response.

    Request URL:

    https://identify.safewhere.com/runtime/oauth2/token.idp
    

    URI parameters:

    | Parameter | Description |
    | --- | --- |
    | client_id | The client identifier (required). |
    | client_secret | The client secret (optional). |
    | grant_type | The grant type of the flow (required). Supported values: authorization_code, client_credentials, password, refresh_token, urn:ietf:params:oauth:grant-type:device_code. |
    | scope | One or more registered scopes (optional). |
    | redirect_uri | The redirect_uri of the client (optional). Required when grant_type is authorization_code. |
    | code | The authorization code received from the authorization server. Required when grant_type is authorization_code. |
    | code_verifier | The PKCE proof key (code verifier). |
    | username | The Identify username. Required when grant_type is password. |
    | password | The Identify password. Required when grant_type is password. |
    | refresh_token | The refresh token. Required when grant_type is refresh_token. |
    | device_code | The device code. Required when grant_type is urn:ietf:params:oauth:grant-type:device_code. |
    | client_assertion | The client assertion. Required when private_key_jwt is used as the client authentication method. |
    | client_assertion_type | The client assertion type. Required when private_key_jwt is used as the client authentication method. |
    | resource | Indicates the target service or resource to which access is being requested (optional). Multiple resource parameters MAY be used to indicate that the requested token is intended for multiple resources. See the constraints below. |

    Constraints on the resource parameter:

    - Its value MUST be an absolute URI.
    - The URI MUST NOT include a fragment component.
    - It SHOULD NOT include a query component.
    - Its value must be one of the configured Security token audiences.

    If the request includes a resource parameter, the resulting JWT access token's aud claim SHOULD have the same value as the resource parameter in the request.
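    As an added example (not code from the Safewhere documentation), the following Python checks a token request against the conditional "required when grant_type is ..." rules and the resource constraints from the table above before the form is posted to the endpoint; the client_id, resource and token values used are constructed for illustration.

```python
from urllib.parse import urlsplit

# Where the form body is POSTed (application/x-www-form-urlencoded).
TOKEN_ENDPOINT = "https://identify.safewhere.com/runtime/oauth2/token.idp"
DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"

# Parameters the table marks as required for each grant_type.
REQUIRED_BY_GRANT = {
    "authorization_code": ("code", "redirect_uri"),
    "client_credentials": (),
    "password": ("username", "password"),
    "refresh_token": ("refresh_token",),
    DEVICE_CODE_GRANT: ("device_code",),
}


def missing_parameters(grant_type: str, params: dict) -> list:
    """Names of conditionally required parameters that are absent from params."""
    if grant_type not in REQUIRED_BY_GRANT:
        raise ValueError(f"unsupported grant_type {grant_type!r}")
    missing = [p for p in REQUIRED_BY_GRANT[grant_type] if not params.get(p)]
    # private_key_jwt: client_assertion and client_assertion_type go together.
    for a, b in (("client_assertion", "client_assertion_type"),
                 ("client_assertion_type", "client_assertion")):
        if params.get(a) and not params.get(b):
            missing.append(b)
    return missing


def resource_problems(value: str) -> list:
    """Violations of the resource-parameter rules listed in the table."""
    parts = urlsplit(value)
    problems = []
    if not parts.scheme:            # absolute URI means it carries a scheme
        problems.append("must be an absolute URI")
    if parts.fragment:
        problems.append("must not include a fragment")
    if parts.query:
        problems.append("should not include a query component")
    return problems


def build_token_request(client_id: str, grant_type: str, resources=(), **params) -> dict:
    """Form fields for a token request; raises ValueError when a MUST rule is violated."""
    missing = missing_parameters(grant_type, params)
    if missing:
        raise ValueError(f"grant_type {grant_type!r} is missing: {', '.join(missing)}")
    for r in resources:
        hard = [p for p in resource_problems(r) if p.startswith("must")]
        if hard:
            raise ValueError(f"resource {r!r}: {'; '.join(hard)}")
    form = {"client_id": client_id, "grant_type": grant_type, **params}
    if resources:
        form["resource"] = list(resources)  # repeated parameter, one value per resource
    return form
```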

    Additional validation rules

    AdditionalValidationRules is an additional setting on the OIDC connection that lets you customize validation rules. For the token endpoint it covers required request parameters, required response claims, and prohibited response claims.

    The value for AdditionalValidationRules is provided in JSON format:

    {
       ...
       "token": {
          "requiredParameters" : "",
          "requiredResponseClaims" : "auth_time",
          "prohibitedResponseClaims": "nbf"
       }
    }
    
    • requiredParameters: defines a comma-separated list of required parameters to validate against the received parameters in the token request.
    • requiredResponseClaims: defines a list of required claims in the token response. Note that this setting currently only supports requiring the auth_time claim.
    • prohibitedResponseClaims: defines a list of prohibited claims in the token response. Note that this setting currently only supports prohibiting the nbf claim and the name claim.

    Token signing

    There are two settings on the OAuth/OIDC connection to specify the algorithm for token signing: JWS algorithm and Id token signing algorithm.

    id_token_signing_alg

    • Access token: If the JWS algorithm is set to RSA Signing, the ID token signing algorithm (if specified) is used to sign the access token. Otherwise, the signing method defaults to None or HMACSymmetric.
    • ID token: The ID token signing algorithm is always used to sign the ID token. Its default value is RS256.